[Senate Hearing 115-862]
[From the U.S. Government Publishing Office]

S. Hrg. 115-862

THE DEPARTMENT OF DEFENSE'S ROLE IN PROTECTING DEMOCRATIC ELECTIONS

=======================================================================

HEARING before the SUBCOMMITTEE ON CYBERSECURITY of the COMMITTEE ON ARMED SERVICES, UNITED STATES SENATE

ONE HUNDRED FIFTEENTH CONGRESS, SECOND SESSION

FEBRUARY 13, 2018

Printed for the use of the Committee on Armed Services

Available via: http://www.govinfo.gov

U.S. GOVERNMENT PUBLISHING OFFICE
44-117 PDF WASHINGTON : 2021

COMMITTEE ON ARMED SERVICES

JOHN McCAIN, Arizona, Chairman
JAMES M. INHOFE, Oklahoma
ROGER F. WICKER, Mississippi
DEB FISCHER, Nebraska
TOM COTTON, Arkansas
MIKE ROUNDS, South Dakota
JONI ERNST, Iowa
THOM TILLIS, North Carolina
DAN SULLIVAN, Alaska
DAVID PERDUE, Georgia
TED CRUZ, Texas
LINDSEY GRAHAM, South Carolina
BEN SASSE, Nebraska
TIM SCOTT, South Carolina

JACK REED, Rhode Island
BILL NELSON, Florida
CLAIRE McCASKILL, Missouri
JEANNE SHAHEEN, New Hampshire
KIRSTEN E. GILLIBRAND, New York
RICHARD BLUMENTHAL, Connecticut
JOE DONNELLY, Indiana
MAZIE K. HIRONO, Hawaii
TIM KAINE, Virginia
ANGUS S. KING, JR., Maine
MARTIN HEINRICH, New Mexico
ELIZABETH WARREN, Massachusetts
GARY C. PETERS, Michigan

Christian D. Brose, Staff Director
Elizabeth L. King, Minority Staff Director

Subcommittee on Cybersecurity

MIKE ROUNDS, South Dakota, Chairman
DEB FISCHER, Nebraska
DAVID PERDUE, Georgia
LINDSEY GRAHAM, South Carolina
BEN SASSE, Nebraska

BILL NELSON, Florida
CLAIRE McCASKILL, Missouri
KIRSTEN E. GILLIBRAND, New York
RICHARD BLUMENTHAL, Connecticut

C O N T E N T S

February 13, 2018

The Department of Defense's Role in Protecting Democratic Elections.
Butler, Robert J., Cofounder and Managing Director, Cyber Strategies, LLC.
Conley, Heather A., Director, Europe Program, Center for Strategic and International Studies.
Harknett, Dr. Richard J., Professor of Political Science and Head of Political Science Department, University of Cincinnati.
Sulmeyer, Dr. Michael L., Director, Cyber Security Project, Belfer Center for Science and International Affairs, Harvard University.

APPENDIX A

The State and Local Election Cybersecurity Playbook
Election Cyber Incident Communications Coordination Guide
Election Cyber Incident Communications Plan Template

THE DEPARTMENT OF DEFENSE'S ROLE IN PROTECTING DEMOCRATIC ELECTIONS

TUESDAY, FEBRUARY 13, 2018

United States Senate, Subcommittee on Cybersecurity, Committee on Armed Services, Washington, DC.

The Subcommittee met, pursuant to notice, at 2:34 p.m. in Room SR-222, Russell Senate Office Building, Senator Mike Rounds (Chairman of the Subcommittee) presiding.

Subcommittee Members present: Senators Rounds, Fischer, Sasse, Nelson, McCaskill, Gillibrand, and Blumenthal.

OPENING STATEMENT OF SENATOR MIKE ROUNDS

Senator Rounds. Good afternoon. The Cybersecurity Subcommittee meets this afternoon to receive testimony on the Department of Defense's (DOD) role in protecting the U.S. election process. The witnesses are Mr. Bob Butler, Co-founder and Managing Director of Cyber Strategies, LLC; Adjunct Senior Fellow at the Center for a New American Security; Senior Vice President of Critical Infrastructure Protection Operations for AECOM; Ms. Heather Conley, the Senior Vice President for Europe, Eurasia, and the Arctic and Director of the Europe Program at the Center for Strategic and International Studies; Dr. Richard Harknett, head of political science at the University of Cincinnati and a former scholar in residence at U.S. Cyber Command and the National Security Agency; and Dr. Michael Sulmeyer, the Director of the Cyber Security Project at the Harvard Kennedy School. At the conclusion of Ranking Member Nelson's comments, we will ask our witnesses to make their opening remarks.
After that, we will have a round of questions and answers. There is no dispute about what Russia did during the 2016 election cycle. There is clear evidence that Russia attempted to undermine our democratic process through the hacking of independent political entities, manipulation of social media, and use of propaganda venues such as Russia Today. Evidence to date indicates that no polls or State election systems were manipulated to change the outcome of the vote. However, there was evidence of Russian probing of certain election systems in 21 states. The Department of Defense has a critical role to play in challenging and influencing the mindset of our cyber adversaries and defending the homeland from attacks, attacks that could include cyber attacks by other nations against our election infrastructure. We look forward to the Department approaching these issues with a heightened sense of urgency. The threat is not going away. Just a couple of weeks ago, the Director of the Central Intelligence Agency warned that Russia will seek to influence the upcoming midterm elections. The White House National Security Advisor stated that they will seek to influence the Mexican presidential campaign as well. This is all in addition to Russian attempts to influence the elections in France and Germany last year. Each of us on this panel has been quite vocal about the need for a strategy that seizes the strategic high ground in cyberspace. Whether you call it deterrence or something else, we need a strategy that moves out of the trenches and imposes costs on our adversaries. The lack of consequences for the countless attacks over the past decade has emboldened our adversaries and left us vulnerable to emboldened behavior. The attacks we experienced during the 2016 election are just the latest rung on that escalation ladder. As long as our adversaries feel that they can act with impunity, they will press further. Our witnesses offer unique perspectives on the challenges we face. 
We look to them to help us understand why our posture restraint has not worked, if we can reverse the damage already done, and what it will take to develop and implement a strategy that limits our exposure and imposes costs on malicious behavior. We invited Dr. Richard Harknett to explain his theory of cyber persistence, specifically on how our failure to tailor our strategies to the uniqueness of the cyber domain limits our ability to confront challenges we face. Our adversaries actively exploit us because they see great benefit and little consequence in doing so. I agree with Dr. Harknett that the Cold War models of deterrence will not work and look forward to hearing what he believes it will take to influence the mindset of our adversaries. In addition to his writings on cyber deterrence and election attacks, Dr. Michael Sulmeyer has focused a great deal of his research on the organizational challenges we face as a government. We understand that Dr. Sulmeyer is working on a paper addressing some of the challenges we examined during our full committee hearings in October on the whole-of-government approach to cybersecurity. We look forward to hearing more from Dr. Sulmeyer on the gaps and the seams he sees in our organizational model and what lessons we can learn from analyzing like the British. Ms. Heather Conley provides an expertise in Russian politics and foreign policy. Russia has yet to face serious consequences in the cyber or other domains for its 2016 elections interference. We look forward to Ms. Conley's testimony on how the United States can tailor and implement these penalties and how the Department can best deter or dissuade further Russian election meddling. We also look forward to the testimony of Mr. Bob Butler who brings extensive cyber experience in both the Department of Defense and the private sector. Mr. 
Butler has been involved in numerous studies on the cyber deterrence, including the recent Defense Science Board Task Force on Cyber Deterrence. Let me close by thanking our witnesses for their willingness to appear today before our subcommittee. Senator Nelson?

STATEMENT OF SENATOR BILL NELSON

Senator Nelson. Thank you, Mr. Chairman. First of all, I want to make sure that, since this is a hearing on elections, everybody understands that this Senator feels that this is about the foundation of our democracy and that we as a government ought to be doing more to defend ourselves. The second thing I want to make sure everybody understands is that this is not a partisan issue. This can happen to either party or the non-party candidates as well. It ought to be all hands on deck. The chairman and I in public and in closed meetings because of the clearance level--we have been quite disturbed about wondering if we are doing as much as we should as a government to protect ourselves. So in a recent closed hearing of this subcommittee, the Department of Defense demonstrated that it is not taking appropriate steps to defend against and deter this threat to our democracy. So, Mr. Chairman, I join you in welcoming these witnesses and hope that some practical suggestions are going to come out. Now, I want to mention just a few things. First, the Department has cyber forces designed and trained to thwart attacks on our country through cyberspace, and that is why we created the Cyber Command's National Mission Teams. Members of this subcommittee, Senator Blumenthal, Senator Shaheen--we all wrote to the Secretary of Defense last week that they, the Department, ought to be assigned to identify Russian operators responsible for the hacking, stealing information, planting misinformation, and spreading it through all the botnets and fake accounts on social media. They ought to do that. The Cyber Command knows who that is. Then we ought to use our cyber forces to disrupt this activity.
We are not. We should also be informing the social media companies of Russia's fake accounts and other activities that violate those companies' terms of service so that they can be shut down. Second I would ask us to look at that as the Department's own Defense Science Board Task Force on Cyber Deterrence concluded last year--we ought to show Mr. Putin that two can play in this game. We ought to consider information operations of our own to deter Mr. Putin like exposing his wealth and that of his oligarchs. Third, I would suggest the Department should ensure that its active and reserve component cyber units are prepared to assist the Department of Homeland Security and the governors to defend our election infrastructure, not just after the attack but proactively before and during the Russian attacks. Fourth, I would suggest that the Department must integrate capabilities and planning into cyber warfare and information warfare to conduct information warfare through cyberspace as last year's defense bill mandated. Our adversaries recognize the importance of this kind of integration, but today cyber warfare and information warfare are separated in the Department of Defense and involve multiple organizations. Fifth, I would recommend, as one of our witnesses I think will testify today, the Department must help develop an effective whole-of-government response to Russia's strategic influence operation through things like a joint interagency task force and a fusion center. Our colleagues on the Foreign Relations Committee have proposed something similar. The threat is not going away. It is likely to intensify. As our intelligence community has been warning and as DNI [Director of National Intelligence] Coats has just testified to the Senate Intelligence Committee, that threat is not going away. So the 2018 elections are upon us. We cannot sit idly by and watch this happen again. Thank you, Mr. Chairman. Senator Rounds. Thank you. 
Welcome to all of our panelists here today, our witnesses. We would ask that, first of all, you limit your opening remarks to 5 minutes, but your entire statements will be made a part of the record. We would like to begin with Mr. Butler.

STATEMENT OF ROBERT J. BUTLER, COFOUNDER AND MANAGING DIRECTOR, CYBER STRATEGIES, LLC

Mr. Butler. Thank you, Mr. Chairman, Ranking Member Nelson, and distinguished members of the Cyber Subcommittee. It is a privilege to be here. Thank you for the invitation. My views really represent my views and not that of any particular organization. I will just quickly hit the highlights of my written statement. They track very closely with a lot of the opening comments. My comments are really focused around my assessment of the threat in the electoral processes after interviewing a few different States; secondly, recommendations for the Federal Government partnered with a whole-of-America campaign; and then thirdly, what this subcommittee can do going forward. I have been watching the Russian influence operations threat for some time in uniform and out of uniform. Our ability to counter Russian influence operations is not only a function of what we know about the threat but our willingness and our ability to address that threat through hardening resilience and other countermeasures. As I have looked at the election infrastructure in a few different States, we have learned from 2016, and our known vulnerabilities have been remediated. Whether you look at the voting registration systems in the election infrastructure proper, we are making progress there. However, the States do not know how to address the disinformation campaign. That is a struggle and the threat still remains very, very high.
From my perspective looking at this particular threat, what we are talking about today is one line of operation within what I think has to be addressed through a National Security Council-led task force, a whole-of-America campaign not too much dissimilar from the NCTC [National Counterterrorism Center], but with a strong, empowered private sector element. Again, I go back to the idea of a whole-of-America process. Two key components inside of this. One is the idea of having an element that is focused on strengthening States' election infrastructure and hardening American citizens, deterrence by denial some would say. A second component focused on cost imposition from botnet disruptions to other kinds of sanctioning activities, importantly reinforced multilaterally. I am a big proponent of an International Cyber Stability Board, a coalition of the willing, working to ensure the most effective way of doing cost imposition. Those two components then supported by an integrated fusion center that provides situational awareness, combines the best of intelligence both in the commercial and from the national security community with law enforcement and active defense actions, focused on a campaign that is centralized in its planning but decentralized in its execution. From my perspective, it really requires both cultural and legislative enablers. Culturally the President must lead, must rally the nation. There are opportunities already this week that can be used to help with that. The infrastructure proposal is a great example. I do not see anything about resilience in the infrastructure proposal. We should have a way of incorporating, especially as we are building new infrastructure, methods and strategies and incentives for strengthening the infrastructure here in this country. Additionally, we need to leverage the best of U.S. competencies across America. Defense is excellent at campaign planning and exercise. U.S.
intelligence agencies, combined with web-scale companies, do a great job in intelligence generation and fusion. Web-scale companies are very good and growing in their ability to rapidly identify disinformation campaigns and response, and we will need some help from the legislative side. Specifically for DOD [Department of Defense], five recommendations that track very closely with what Senator Nelson was talking about. I think to jump start this NSC [National Security Council]-sponsored task force, we should coordinate with the Secretary of Defense to immediately stand up a JIATF, a joint interagency task force. Inside of that, again empowered private sector players. We typically do not think about that, but this really is something where we need to work together in a public-private partnership. We need to make arrangements with State and local officials through DHS [Department of Homeland Security] and the National Guard Bureau. The second recommendation really is to the NGB and working with the National Guard Bureau to really not only inventory what we have from a cyber and IO perspective. We have cyber units. We have information operations units. But to begin to scale them to help the States and to help us as we think about incident response in general. I think they could be aligned with FEMA [Federal Emergency Management Agency] regions. I think they could be aligned in a lot of different ways, but we need to first get organized. The third is to actually have a session where we discuss courses of action. It would have to be a closed session. But I think that is where the request for authorities, new authorities, requests for new resources come out. It really gets at the point of not only looking at offensive actions but defensively what we are in store for as we begin to move offensively and what we are going to do from a continuity of government, continuity of business perspective.
The last two relate to Senator Nelson's comments with regard to the DSB [Defense Science Board] task force. I think we should continue to push with the NDAA [National Defense Authorization Act] and operationalizing the rest of the Cyber Deterrence Task Force recommendations. I would advocate that this committee should have its own campaign of exercises to help it understand where the adversary is going and to be able to advance ideas with regard to looking at threat and countermeasures. I stand ready to answer any questions that you have.

[The prepared statement of Mr. Butler follows:]

Prepared Statement by Robert J. Butler

Mr. Chairman, Ranking Member Nelson, and distinguished members of the Cyber Subcommittee, thank you for inviting me to speak on the topic of countering Russian influence in the United States elections infrastructure. I would like to begin by noting that my opinions are mine and do not reflect the views of any organization.

For more than 37 years, my work life has been about Information Technology (IT) and its application across Defense and other sectors. Along the way, I was afforded the opportunity to help guide the evolution of information warfare; information and cyberspace strategy and operations within the Department of Defense (DOD); and the United States Government (USG) as a planner and commander. My work in DOD included the stand-up of information operations (IO) organizations, development of IO campaign plans, and serving as the DOD lead in the first USG negotiation with the Russians on cyber arms control in 1998. I was also privileged to serve as the Director of Intelligence at U.S. Transportation Command (TRANSCOM) during Operations Enduring and Iraqi Freedom. I culminated my military career by commanding the intelligence operations organization that is now commonly referred to as NSA-Texas.
After retirement from the United States Air Force (USAF), I served as the senior civilian executive for DOD's premiere joint information operations command before joining a U.S.-based global IT services firm as its Director of its Military Intelligence Programs. Returning to Government service in 2009, I served as the first Deputy Assistant Secretary of Defense (DASD) for Space and Cyber Policy. During my time as a DASD, I witnessed and was alarmed at the expansion of the cyber threat around the globe--specifically, China's rampant on-line theft of United States intellectual property and Russia's continued disruptive cyber-attacks in the Ukraine and other parts of the world.

Since leaving government service in 2011, I have spent most of my time in the private sector. As a corporate Chief Security Officer and now as an AECOM \1\ security executive, I had the opportunity to build and implement enterprise security programs to counter foreign threats. Additionally, I have served and continue to serve as a consultant to various Defense Science Board (DSB) task forces including the recent cyber deterrence task force.

It is from this experience base, I address you today. I've organized my remarks around three topics: 1) my assessment of the Russian threat, specifically to our electoral process; 2) my recommendations for what the federal--including DOD--and state governments, along with United States industry should do to further counter Russian or any other foreign government influence; and 3) my suggestions for how this committee could help in this national security work. While my testimony focuses on enhancing the resilience of the U.S. electoral process, I have also made some suggestions regarding the resilience of critical infrastructures more generally as the threats and responses overlap.
---------------------------------------------------------------------------
\1\ AECOM is an American multinational engineering firm that provides design, consulting, construction, and management services to a wide range of clients. AECOM has approximately 87,500 employees, and is number 156 on the 2016 Fortune 500 list. (2018, January 01). About AECOM. Retrieved February 06, 2018, from http://www.aecom.com/about-aecom/
---------------------------------------------------------------------------

The Russian Threat and Our Election Process.

Our ability to counter Russian influence operations is a function of what we know about the Russian threat and our ability to address that threat through hardening, resilience, and other countermeasures. The National Security Strategy (NSS) and the National Defense Strategy (NDS) identify Russia as ``attempting to erode American security and prosperity'' including ``using information tools in an attempt to undermine the legitimacy of democracies.'' \2\ As reported by our intelligence agencies, the Russian Federation has been engaged in a campaign aimed at interference with our 2016 presidential election process. Russian intelligence obtained and maintained access to elements of multiple United States state or local electoral boards. Russia's influence campaign has been multi-faceted and has included Russian Government cyber and media activities along with the use of third party intermediaries and social media ``trolls.'' \3\ Importantly, we have no indication that this Russian influence campaign against democratic elections has stopped. In fact, Russian Government interference in European national elections leads us to a very different judgment, namely that this type of Russian aggression is growing. \4\ NATO assessments about Russia's capabilities and intent confirm this assessment. \5\ CIA Director Pompeo has stated that Russia can be expected to meddle in the 2018 elections. \6\

---------------------------------------------------------------------------
\2\ Trump, D. (2017, December). National Security Strategy. https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf pp. 2, 14.
\3\ Director of National Intelligence. (2016, January). Background to ``Assessing Russian Activities and Intentions in Recent U.S. Elections''. https://www.dni.gov/files/documents/ICA--2017--01.pdf
\4\ Greenberg, A. (2017, June 02). NSA Director Confirms That Russia Really Did Hack the French Election. Retrieved February 06, 2018, from https://www.wired.com/2017/05/nsa-director-confirms-russia-hacked-french-election-infrastructure/
\5\ Giles, K. (2016, November). Handbook of Russian Information Warfare. https://krypt3ia.files.wordpress.com/2016/12/fm--9.pdf
\6\ Cohen, Z. (2018, January 31). CIA director Pompeo met top Russian spies. Retrieved February 06, 2018, from https://www.cnn.com/2018/01/30/politics/cia-director-pompeo-russia-spies/index.html
---------------------------------------------------------------------------

A key focus of the Russian influence actions has been against the election infrastructure in our states. The threat to state electoral systems is dependent on the state election infrastructure architecture. Some states have highly automated infrastructure while others continue to employ paper ballot systems. In the latter case, digital interactions still exist with web interfaces for voter registration and election day voter verification along with the use of digital ballot counting machines which scan paper ballot and store results. Based on my conversations with Government representatives from geographically dispersed states, the integrity and quality of election infrastructure has improved since 2016. States have reviewed the exposure and configuration of their end-to-end voting system, and known areas of technical and procedural weaknesses have been remediated. \7\ Nonetheless, the threat to electoral processes remains high. For one, it is difficult to identify and nullify disinformation campaigns that are portrayed as news coverage.

---------------------------------------------------------------------------
\7\ Department of Homeland Security. (2018, January). National Cyber Incident Coordination Center. https://www.dhs.gov/national-cybersecurity-and-communications-integration-center
---------------------------------------------------------------------------

Recommendations to Counter Russian Influence in Our Election Process.

America has been and will continue to be involved in a campaign of continuous engagement and pressure from the Kremlin to weaken United States and allied critical infrastructure and democratic processes. To counter, we need a ``whole of America'' campaign approach aimed directly at preventing Russian or any other foreign government interference. This campaign must be led by a National Security Council (NSC)-sanctioned task force (not too dissimilar to the National Counter-Terrorism Center) with membership from empowered government agencies and industry representatives. One line of operation in this campaign is countering Russian interference to influence our electoral process.

This standing national task force needs to have two synchronized components--one focused on continuous strengthening of the states' election infrastructure as well as ``hardening'' American citizens to Russian media and other cyber-enabled influence operations. Importantly, these activities should include a partnership with industry to regularly red team state election infrastructure; share relevant intel with state election and cybersecurity officials; bar Russian or other foreign online election material (just as we bar foreign election contributions;) continuously identify fake and harmful messages; and quickly disseminate the truth about USG actions.
As a starting point, this USG-industry partnership could build off the actions already underway to counter on-line terrorist propaganda. \8\

---------------------------------------------------------------------------
\8\ Robertson, A. (2017, June 26). Facebook, Microsoft, Twitter, and YouTube launch anti-terrorism partnership. Retrieved February 06, 2018, from https://www.theverge.com/2017/6/26/15875102/facebook-microsoft-twitter-youtube-global-internet-forum-counter-terrorism.
---------------------------------------------------------------------------

The second component of this task force should be focused to directly impose cost on the Russian Federation, including activities ranging from cyber-enabled social media operations and botnet disruptions to sanctions and other enforcement actions. Importantly, these cost imposition measures, when and where possible, need to be multilateral in nature, involving other allied nations and coordinated with appropriate private sector organizations. \9\ The formation of an International Cyber Stability Board (ICSB) of allied nations and industry partners could support rapid coordination and enforcement of actions across Internet infrastructure. The NSC staff should lead in the development of the ICSB.

---------------------------------------------------------------------------
\9\ Frank Kramer, Bob Butler, and Catherine Lotrionte. (2017, November 06). Raising the Drawbridge with an ``International Cyber Stability Board''. Retrieved February 06, 2018, from https://www.thecipherbrief.com/raising-drawbridge-international-cyber-stability-board.
---------------------------------------------------------------------------

The two components should be supported by an integrated fusion center that enables continuous situational awareness and engagement through human capital intelligence, intelligence at large, law enforcement, and active defense actions.
Although centrally planned, execution of action must be decentralized to support persistent and agile engagement against Russian ``trolls,'' bots, and other surrogates of the Russian Government.

To enable this type of organization and ensure its success will require both cultural and legislative changes. The President needs to rally the U.S. Government and U.S. industry. Infrastructure resilience and countermeasures need to be part of the President's ``call to action'' this year. Additionally, we need to leverage the best U.S. organizational core competencies to include the following: Defense for campaign planning and exercise, U.S. Intelligence Agencies and industry for rapid intelligence generation and fusion, Webscale companies for rapid identification of disinformation campaigns and response, Congress for potentially changing laws like the Computer Fraud and Abuse Act (CFAA) and enabling Government and industry to work together to actively defend this nation. \10\

---------------------------------------------------------------------------
\10\ McCain, U. S. (2017, October). Press Releases. Retrieved February 06, 2018, from https://www.mccain.senate.gov/public/index.cfm/2017/10/mccain-klobuchar-warner-introduce-legislation-to-protect-integrity-of-u-s-elections-provide-transparency-of-political-ads-on-digital-platforms. https://tomgraves.house.gov/uploadedfiles/discussion_draft_active_cyber_defense_certainty_act_2.0_rep._tom_graves_ga-14.pdf.; https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf. and https://www.mccain.senate.gov/public/index.cfm/2017/10/mccain-klobuchar-warner-introduce-legislation-to-protect-integrity-of-u-s-elections-provide-transparency-of-political-ads-on-digital-platforms.
---------------------------------------------------------------------------

On the international front, it is critical to align our efforts with our allies and identify appropriate ``red lines'' for actions.
For example, these would include attempts to hack or disrupt our electrical grid and voting machines. \11\

---------------------------------------------------------------------------
\11\ Miller, J. (2018, January). Navigating Dangerous Pathways. Retrieved February 06, 2018, from https://www.cnas.org/publications/reports/navigating-dangerous-pathways?utm_medium=email&utm_campaign=Project Pathways 3 Report Release&utm_content=Project Pathways 3 Report Release%2BCID_2bd61d40546a491ed2980e0568645014&utm_source=Campaign Monitor&utm_term=Navigating Dangerous Pathways A Pragmatic Approach to United States-Russian Relations and Strategic Stability
---------------------------------------------------------------------------

Proposals for the Cyber Subcommittee and SASC.

To ``jump start'' the stand-up of an NSC-sponsored national task force, the SASC should coordinate with the Secretary of Defense in immediately establishing a joint interagency task force to begin and accelerate counter-Russian influence campaign planning. Key private sector elements from the Defense Industrial Base and webscale companies should be included as needed. Also, appropriate working arrangements with state and local officials through the Department of Homeland Security (DHS) and the National Guard Bureau (NGB) should be created. The SASC through its oversight jurisdiction should then monitor the progress of the task force.

To further support the stand-up of the new national task force for countering Russian or other foreign government influence, I recommend the SASC direct the NGB, in conjunction with U.S. Cyber Command (CYBERCOM), to inventory and certify all cyber capable National Guard assets that could augment state resiliency and federal efforts.
Working with other committees, the SASC should then develop a statute to grow ten NGB ``cross-state mutual assistance'' teams as certified active defense teams to work alongside Federal Emergency Management Agency (FEMA) regional leads, other government and industry partners at the state and federal level. The SASC should direct the Defense Leadership Team to develop Defense-Defense Industrial Base Courses of Action (COA) to support the new national task force, and to provide in a closed session a summary of these COAs along with new resources and authority requests to the Committee. Related to this point, the SASC should work with the DOD and other Committees to update all statutes for enabling Defense counter-influence actions at home and abroad.

To deter further adversary action, we must harden our critical infrastructure. This includes the election infrastructure, but also all infrastructure which ensures national security, public safety and democratic processes. From a defense standpoint, this starts with the resilience of our nuclear strike capabilities, non-nuclear capabilities such as conventional strike, missile defense and offensive cyber. Specific recommendations are included in the 2017 DSB report on Cyber Deterrence. \12\ The SASC should continue to act to operationalize these recommendations as part of developing the next National Defense Authorization Act.
---------------------------------------------------------------------------
\12\ Defense Science Board. (2017, February). Task Force on Cyber Deterrence. https://www.acq.osd.mil/dsb/reports/2010s/DSB-CyberDeterrenceReport_02-28-17_Final.pdf.
---------------------------------------------------------------------------

Finally, the Committee should set up its own campaign of ``table top'' exercises that would help members to better understand different adversary scenarios which could involve defense capabilities and highlight the need to the Committee for other Congressional actions in countering Russian influence.

Thank you again for the opportunity to share these thoughts. I stand ready to help the Committee as we seek to better protect and grow our nation.

Senator Rounds. Thank you, Mr. Butler. Ms. Conley?

STATEMENT OF HEATHER A. CONLEY, DIRECTOR, EUROPE PROGRAM, CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES

Ms. Conley. Thank you so much, Chairman Rounds, Ranking Member Senator Nelson, and esteemed colleagues. Thank you for this very timely opportunity to speak to you this afternoon and what a timely moment as United States intelligence agencies have now assessed that Russia will continue to make bold and more disruptive cyber operations focused on the midterm elections. CIA [Central Intelligence Agency] Director Mike Pompeo also stated publicly that he fully expects that Russia will attempt to disrupt the United States midterm elections. So we know they are doing it and will do it, but we as a nation are not prepared to effectively combat what I believe is an intensifying disinformation operation and influence operation.

I am a bit of a contrarian on this panel. I am not a cybersecurity expert. But what I am most concerned about is that we have 9 months, and the American people are not educated as to what is going to happen to them. That is where I think our focus must lie. I am less concerned about the mindset of President Putin. I know his mindset. I am more concerned about the mindset of the American people as we head towards this election.

You asked us what role DOD could play to protect the U.S. elections.
I think simply DOD, working with Congress, has got to demand a whole-of-government strategy to fight against this enduring disinformation and influence operation. We do not have a national strategy. Unfortunately, modernizing our nuclear forces will not stop a Russian influence operation. That is where we are missing a grave threat that exists in the American people's palm of their hand and on their computer screens. It is vital that we start talking publicly about this threat and educating the American people on a bipartisan basis. Tragically the Russian campaign has already deeply polarized our country, which only serves the Kremlin's interests. As one of the most trusted institutions in the United States, the Department of Defense must leverage that trust with the American people to mitigate Russian influence. Simply put, the Department of Defense has to model the bipartisan and fact-based action, behavior, and awareness that will help reduce societal division. This is about leadership. It is about protecting the United States, and as far as I can see, that is in the Department of Defense's job description. So a good place to begin is using DOD's extensive employee and military networks to provide timely policy guidance and statements about the threat the Russian influence operation poses to election security. Secretary Mattis and General Dunford should provide extensive public outreach to the defense community about the threat and how to counter it. Perhaps they should think about forming public service announcements. European governments have been very effective in warning their publics about the danger of Russian disinformation. France and Germany were very strong on that, but you have to put the message out and we have not. 
I offered one suggestion in my written testimony to look at how we could leverage the National Guard Bureau, working closely with State and local leaders in cooperation with the Department of Homeland Security, to enhance cybersecurity awareness and be able to detect patterns of influence, for example, if hacked emails surface online in conjunction with the false rumors about potential electoral candidates. We need to start talking about this. Another instrument is the State Partnership Program. The National Guard has partnered with the Lithuanian military, the Estonian military. They can bring back to their States information about how Russian influence works.

We are speaking today about protecting the homeland from continuous disinformation attacks, which alter how the average American thinks about their system of governance and their government. What the American people may end up thinking is that everyone is lying, everything is fake, and there is nothing that can be trusted. Then even the most trusted of American institutions, the Defense Department, the Justice Department, the FBI [Federal Bureau of Investigation], the Department of Homeland Security, the Office of the President, will mean very little to the American people. This is exactly how you break the internal coherence of the enemy's system according to Russian military doctrine. Unfortunately today we are doing most of this to ourselves without assistance from the Kremlin.

This is a matter of urgency. We have 9 months. We need to educate the American people in addition to enhancing, of course, our cybersecurity protections. But as the French disinformation attacks showed, what many of the organizations that looked like that disinformation was coming from--it was coming from American organizations. This is designed to be hidden. It adapts. We have to educate the American people about what they are going to confront on the November elections.

Thank you.

[The prepared statement of Ms.
Conley follows:]

Prepared Statement by Heather A. Conley

Mr. Chairman, Ranking Member Nelson and distinguished members of the Cybersecurity Subcommittee of the Senate Armed Services Committee, thank you for the invitation to speak before this important subcommittee on a topic that is of utmost importance to the future of the United States and its national security: The essential need to ensure that the American people have complete trust and confidence in the fairness and accuracy of U.S. elections, be they at the local, state or federal level.

I am a professional outlier on this panel for I am not a cyber security expert, but I have spent the last several years at CSIS studying and understanding how malign Russian influence works in Europe, which we have described in detail in our seminal report, The Kremlin Playbook. \1\ We have studied in detail how Russian economic influence has worked in five European countries (Latvia, Hungary, Slovakia, Bulgaria and Serbia) over a ten-year period to understand how Russia infiltrates a democracy and erodes confidence and credibility in how that democracy works. We have extended our research to include six more European countries (Italy, Austria, the Netherlands, Romania, the Czech Republic and Montenegro) which will culminate in a new report, The Kremlin Playbook 2, in early 2019. The Central and Eastern European region has constituted an extensive Russian laboratory for a variety of influence operations for nearly two decades. European Governments and citizens have been exposed to a full spectrum of Russian influence tactics that have collapsed weakened governments as well as systemically important financial institutions. Russian influence has fomented societal unrest and altered Western-oriented government policies.
---------------------------------------------------------------------------
\1\ Heather A. Conley and Ruslan Stefanov, The Kremlin Playbook, Center for Strategic and International Studies, October 2016, https://www.csis.org/analysis/kremlin-playbook.
---------------------------------------------------------------------------

Having said this, I believe Russian influence is less about physical cyber security (although cyberattacks are a useful tool) and more about (dis)information and influence superiority, which is how the Kremlin believes it will maintain its global preeminence as it addresses slow and long-term decline. According to the Czech Security Information Service, it is the Kremlin's goal to convince the average citizen that ``everyone is lying,'' which in turn will ``weaken society's will to resist'' Russian interests. \2\
---------------------------------------------------------------------------
\2\ Jakub Janda, ``How Czech President Milos Zeman Became Putin's Man,'' Observer, January 26, 2018, http://observer.com/2018/01/how-czech-president-milos-zeman-became-vladimir-putins-man/.
---------------------------------------------------------------------------

Therefore, one of our first lines of defense is to develop a much deeper understanding of and a body of research into how Russia practices its influence operations as well as to study how European countries defend themselves against these ongoing operations. Europe has been at this longer than we have. Our knowledge has atrophied. Our defense and intelligence officials must have the closest possible relationship with our European partners to develop effective and sustainable countermeasures against Russian influence.

Secondly, it needs to be understood that Russian influence does not simply occur in and around a national election; it is a continuous and holistic series of operations that are designed to break the ``internal coherence of the enemy system.'' \3\ It is true that elections are the most visible opportunity to harm a democracy when it is at its most vulnerable.
We can observe that Russian influence operations and cyber infiltration may accelerate approximately two years prior to an election but this does not mean that Russian operations cease after an election. If anything, they simply adapt their methods to the outcome and alter their strategies to continue to degrade confidence in democratic institutions. Sustained Russian influence operations focus on those issues that are deeply divisive within a society, such as issues related to migration or questions of history or national, racial or religious identity. Today's Russian influence operations, just as their predecessor, Soviet active measures, exploit the weaknesses that are present within a society but they benefit from increasingly sophisticated means amid increasingly confused Western societies that are overwhelmed daily by a growing amount of information.
---------------------------------------------------------------------------
\3\ Dimitry Adamsky, ``Cross-Domain Coercion: The Current Russian Art of Strategy,'' Proliferation Paper no. 54, Institut Francais des Relations Internationales, November 30, 2015, https://www.ifri.org/en/publications/enotes/proliferation-papers/cross-domain-coercion-current-russian-art-strategy.
---------------------------------------------------------------------------

My contribution to this important discussion is to offer you what I believe European countries have done successfully to combat malign Russian influence and disinformation as well as increase cyber-protection. But before doing this, I will address the questions posed to all the witnesses today.

I do not believe the Department of Defense has a leading role to play in the cyber protection of U.S. elections. This is the purview of the Department of Homeland Security, which has struggled to develop effective policies to protect critical election infrastructure as distrust between the Federal Government and state as well as local election officials has grown.
However, I believe the Department of Defense can play a role that is highly complementary to the work of the Department of Homeland Security by rebuilding trust between state and federal officials, and building knowledge and awareness of the ever-present threat. This will not be easy. State and local election officials are unable to receive classified intelligence briefings. Candidates for office may not have received cybersecurity training or know whom to contact should they become the victim of illicit hacking or an influence operation.

We can learn from the French Government about how to combine military and civilian efforts to prevent cyber-destabilization. This month the French Ministry of Defense released its Military Planning Law, which prioritizes cyber risks and seeks to increase cooperation with telecommunication companies to enable them to scan networks for technical clues of ongoing or future cyberattacks. The civilian French Network and Information Security Agency (ANSSI) will provide a list of risk indicators to the Defense Ministry. These risk indicators only focus on technical aspects of security breaches and not on content (which is important to ensure First Amendment protections in the United States). The goal is to enhance early detection. A French white paper was released in conjunction with the planning law which outlined and defined the possible cyberattacks that France could suffer and identifies cyber-protection as a strategic priority. \4\ The strategic review of France's cyber defense sets out six main goals: prevention, anticipation, protection, detection, attribution, and reaction. \5\ The ANSSI provides cybersecurity awareness-raising seminars to politicians and parties. Could DOD produce something similar in cooperation with DHS?
---------------------------------------------------------------------------
\4\ Martin Untersinger, ``Cybersecurite: le gouvernement veut mettre les telecoms a la contribution pour detecter les attaques,'' Le Monde, February 8, 2018, http://www.lemonde.fr/pixels/article/2018/02/08/cybersecurite-le-gouvernement-veut-mettre-les-telecoms-a-contribution-pour-detecter-les-attaques_5253808_4408996.html.
\5\ Olivier Berger, ``Revue strategique de cyberdefense : l'Etat et les operateurs pourront collaborer pour traquer les attaques informatiques,'' La Voix du Nord, February 8, 2018, http://defense.blogs.lavoixdunord.fr/archive/2018/02/08/l-etat-et-les-operateurs-pourront-collaborer-pour-traquer-le-15570.html
---------------------------------------------------------------------------

While there is a role for the Defense Department to play in deploying offensive cyber capabilities should there be an attributable Russian attack on the United States election process, it would have to be part of a whole-of-government policy and strategy toward Russian influence operations, which at present the United States Government does not have--but urgently needs. Perhaps a more credible policy of deterrence would be for the United States Government to notify the Kremlin that future attributable attacks against United States elections would force the United States to seek to block Russia's access to the Society for Worldwide Interbank Financial Telecommunications (SWIFT). Although the Russian Government has developed an alternative system that may mitigate financial disruption internally, it could certainly hamper access to international bank accounts from the Kremlin's very wealthy inner circle--which may have more immediate impact.

There are two additional areas that the Defense Department could explore to enhance disinformation awareness and cyber-protection prior to the 2018 mid-term and 2020 presidential elections.
First, it could use its extensive employee and military network to provide timely policy guidance and statements about the threat that Russian influence operations pose to election security. Secretary Mattis and General Dunford should provide extensive public outreach to the defense community about the nature of the threat and how best to counter it to sensitize the DOD community to the threat of Russian influence and misinformation operations in a public service announcement format.

Another idea would be to consider engaging the National Guard Bureau to help develop and facilitate training of state and local election officials to enhance cybersecurity awareness and to be able to detect patterns of influence (for example, hacked e-mails surfacing online in conjunction with the spread of false rumors about candidates) in partnership with the Department of Homeland Security. Those National Guard units that have participated in the State Partnership Program (SPP) have served and developed relationships with European partners, and could also be particularly helpful in sharing information about Russian influence operations (United States forces serving in these countries have been the recipients of Russian misinformation campaigns) through the State Adjutant Generals who are very well regarded among state and local officials. State Partnership Programs particularly well placed for this would be the Pennsylvania National Guard (Lithuania), the Maryland National Guard (Estonia), the Texas National Guard (the Czech Republic) and the Michigan National Guard (Latvia). \6\
---------------------------------------------------------------------------
\6\ See more at ``State Partnership Program,'' National Guard, http://www.nationalguard.mil/Leadership/Joint-Staff/J-5/International-Affairs-Division/State-Partnership-Program/.
---------------------------------------------------------------------------

Simply put, the Defense Department must model the bipartisan and fact-based actions, behavior and awareness that will reduce societal division and help bridge the state and federal divide. As one of the most trusted institutions in the United States, the Defense Department must leverage that trust to mitigate malign Russian influence.

Turning now to the European laboratory of Russian cyber-destabilization, there are several important lessons that the 2017 European election cycle has taught us (and that Europeans have learned):

The necessity of having a paper ballot either as the ballot of record or as a back-up to an electronic ballot. The Dutch and German national elections use paper ballots. The German Government has also focused on protecting the software that tallies the election results to ensure that these systems are not vulnerable to cyberattack.

A unified and all-political party message on what is at stake as well as how to detect and understand Russian influence. The French and German Governments were particularly effective at early notification regarding the likelihood of Russian influence and announcing when data breaches occurred. There was sufficient trust in the institutions and their leaders to ensure that a majority of the public took heed of the warning, which reduced the impact of the Russian misinformation campaign.

French and German media organizations set up fact-checking teams and social media platforms that cooperated with authorities to protect sensitive accounts. The French polling commission went so far as to warn against illegitimate polls coming from Kremlin-affiliated outlets that did not fit legal criteria for accurate polling. \7\
---------------------------------------------------------------------------
\7\ Laura Daniels, ``How Russia hacked the French election,'' Politico, April 23, 2017, https://www.politico.eu/article/france-election-2017-russia-hacked-cyberattacks/.
---------------------------------------------------------------------------

In Sweden, ahead of the September 2018 elections, the Government plans to create a new agency to enhance the public's ``psychological defense'' against influence by identifying, analyzing and reacting to Russian influence attempts; this would also take place through increased funding for the Swedish intelligence services, and cyber-defense. \8\ In January 2018, the Swedish head of security services (Sapo) warned against increased foreign influence operations ahead of the election, citing as examples forged letters of arms deals with Ukraine or fake reports that Muslims had vandalized a church. \9\
---------------------------------------------------------------------------
\8\ Andrew Rettman and Lisbeth Kirk, ``Sweden raises alarm on election meddling,'' January 15, 2018, https://euobserver.com/foreign/140542.
\9\ Gordon Corera, ``Swedish security chief warning on fake news,'' January 4, 2018, http://www.bbc.com/news/world-europe0-42285332.
---------------------------------------------------------------------------

Swedish Prime Minister Lofven plans to convene political parties to share protection and resilience strategies throughout the election process. The media would also take part in some of these meetings to bolster awareness of foreign influence. The chief of Sapo has increased information-sharing with European partners, and with other security services to better protect the election process; he argued that despite being a security service, openness was important to inform the public on the threat. \10\
---------------------------------------------------------------------------
\10\ Ibid.
---------------------------------------------------------------------------

The Swedish Government is also discussing the inclusion of critical thinking skills in primary school curricula, teaching children how to spot fake news. Swedish Government authorities have initiated a series of public news literacy activities to help the Swedish public discern how truthful and fact-based the information they receive is. \11\
---------------------------------------------------------------------------
\11\ ``A practical approach on how to cope with disinformation,'' Government of Sweden, October 6, 2017, http://www.government.se/articles/2017/10/a-practical-approach-on-how-to-cope-with-disinformation/.
---------------------------------------------------------------------------

The U.S. Government has taken none of these positive, proactive steps--to my knowledge. The most proactive work being done in this space is taking place in U.S. think-tanks and universities through independent funding.

If we understood 2016 and 2017 to be exceptional years for all-encompassing Russian influence operations, we must reckon with the fact that 2018 has already witnessed significant Russian influence activities, particularly around the Czech presidential elections. There, in a close second-round election, the opponent (a former president of the Czech Academy of Sciences) of the preferred Russian candidate (outgoing president Milos Zeman) received an onslaught of disinformation during the second and final round of the campaign, from being called a pedophile to a Communist secret police agent who stole intellectual property. Milos Zeman won 51.4 percent to 48.6 percent. \12\
---------------------------------------------------------------------------
\12\ Marc Santora, ``Czech Republic Re-elects Milos Zeman, Populist Leader and Foe of Migrants,'' The New York Times, January 27, 2018, https://www.nytimes.com/2018/01/27/world/europe/czech-election-milos-zeman.html.
---------------------------------------------------------------------------

We watch with particular concern the upcoming Italian parliamentarian elections (March 4), Montenegro's presidential elections (April 15), Latvian parliamentary elections (September/October), Swedish parliamentary elections (September 8), and Moldovan elections (to be held before April 2019), where Russia has long-standing investments and would potentially seek to influence the outcome of elections in support of the Kremlin's interests. The very same methods that are being deployed to undermine the credibility of these elections are being actively pursued in the United States. This has been recently acknowledged by CIA Director Mike Pompeo. \13\

So perhaps the most immediate and important step the Department of Defense could take--in concert with Congress--is to demand a whole-of-government approach to minimize the impact of Russian influence operations in the United States. A disjointed approach by the United States Government and the daily undermining of the legitimacy of United States intelligence and law enforcement agencies does the Kremlin's work far better (and cheaper) than any Russian influence operation could.
---------------------------------------------------------------------------
\13\ Scott Neuman, ``CIA Director Has `Every Expectation' Russia Will Try To Influence Midterm Elections,'' NPR, January 30, 2018, https://www.npr.org/sections/thetwo-way/2018/01/30/581767028/cia-director-has-every-expectation-russia-will-try-to-influence-mid-term-electio.
---------------------------------------------------------------------------

Senator Rounds. Thank you, Ms. Conley. Dr. Harknett?

STATEMENT OF DR. RICHARD J. HARKNETT, PROFESSOR OF POLITICAL SCIENCE AND HEAD OF POLITICAL SCIENCE DEPARTMENT, UNIVERSITY OF CINCINNATI

Dr. Harknett. Chairman Rounds, Ranking Member Nelson, distinguished members, thank you for this opportunity to speak to you about this critical issue today.

We have a big picture problem.
Throughout international political history, states have at times misaligned their security approaches to the strategic realities in which they tried to secure themselves. In 1914, every general staff in Europe thought that security rested on the offense, and they found out devastatingly in World War I that they were tragically wrong. France in the 1930s said, okay, we learned from the last war. It is a defense-dominant environment. We are going to rest our security on the most technologically advanced defensive works in history. But again, the fundamentals had changed and the Germans simply went around the Maginot Line. Senators, with all due respect, I do not want to be France in the 1930s, but I think we are coming dangerously close to that myopia and the misalignment of strategy that follows from it. Our adversaries are working through a new seam in international politics. Cyberspace is that seam. Its unique characteristics have created a strategic environment in which our national sources of power can be exposed without having to violate traditional territorial integrity through war. What we have been witnessing are not hacks. They are not thefts. It is not even simple espionage. What we must accept is the fact that we are facing comprehensive strategic campaigns that undermine our national sources of power, be they economic, social, political, or military. Therefore, I agree we must develop a counter strategic campaign to protect those sources that has as its overall objective a more secure, stable, interoperable, and global cyberspace. With regard to the integrity of our elections, we have effectively left civilians, whose main focus is not security, on the front lines. That is not a recipe for success. Specific to the Department of Defense's role in producing greater security in, through, and from cyberspace, we must adopt a seamless strategy of what I call cyber persistence, in which our objective is to seize and maintain the initiative. 
We must defend forward as close to adversary capacity and planning as possible so that we can watch and inform ourselves, disrupt and disable if necessary. Our immediate objective must be to, first, erode the confidence adversaries now have in their ability to achieve and enable objectives. They are very confident. Second, we have to erode their confidence in their own capabilities. Third, we must erode those capabilities themselves. We are well past the post on this. We need a comprehensive, seamless, integrated strategy that pulls to get a greater resiliency, forward defense, and when necessary, countering and testing cyber activity to reverse current behavior. We are not at step one. We are well past that. We actually have to reverse behavior. Our security will rest on our ability to simultaneously anticipate how adversaries will exploit our vulnerabilities and how we can exploit theirs. Cyberspace is an interconnected domain of constant contact that creates a strategic imperative for us to persist. This is a wrestling match in which we have to grapple with who actually has the initiative, being one step ahead in both knowledge and in action. If we do not adjust to this reality, our national sources of power will remain exposed and more of those who wish to contest our power will pour into this seam. I, therefore, argue that we must make three critical adjustments. The first is we have to adjust our overall strategic perspective. War and territorial aggression, which can effectively be deterred, are not the only pathways for undermining our national sources of power. In fact, because we have this effective strategic deterrent, we should expect our adversaries to move into this new seam of strategic behavior below the threshold of war. Second, we must move our cyber capabilities out of their garrisons and adopt a security strategy that matches the operational environment of cyberspace. 
We must meet the challenge of an interconnected domain with a distinct strategy that continuously seeks tactical, operational, and strategic initiative.

Third, we must make the fundamental alterations to capabilities development, operational tempo, decision-making processes, and most importantly, as Bob referred to, overall authorities that will enable our forces to be successful. We cannot succeed using authorities that assume territoriality and segmentation in an environment of interconnectedness, constant contact, and initiative persistence.

We cannot secure an environment of constant action through inaction. Strategic effect in cyberspace comes from the use of capabilities and having the initiative over one's adversaries. It is time for us to seize that initiative.

I look forward to explaining in more detail how we can pursue security through persistence during our Q and A. Thank you, Mr. Chairman.

[The prepared statement of Dr. Harknett follows:]

Prepared Statement by Professor Richard J. Harknett

``Department of Defense's Role in Protecting Democratic Elections''

The Subcommittee is concerned that, in the lead-up to the 2018 and 2020 elections, the Department and Government as a whole have not sufficiently deterred future interference, leaving our democratic institutions at risk to foreign intrusion.

The Subcommittee is correct in its concern. The likelihood of foreign intrusion (not just Russia, but other revisionist actors as well) is high due to the nature of this domain. Cyberspace is an interconnected domain and yet all our approaches rest on a principle of segmentation, instead of seeking synergies of expertise. Our adversaries have figured this out. Cyberspace is a new seam in international power competition in which strategic effect can be produced below the threshold of war and the reach of traditional deterrence strategies.
We should assume as a starting point that adversaries will engage in cyber operations against our national sources of power, including economic wealth and social-political cohesion. If we do not actively engage these strategic cyber campaigns, we will suffer. We need a new strategy that rests on a seamless operational environment of 1) integrated resiliency, 2) forward defense, 3) contesting adversaries' capabilities and 4) countering their campaigns. Through this new strategy, we can actively erode the confidence that our adversaries have in achieving their objectives and in their capabilities. Over time this may produce a deterrent effect, but that can only be achieved through persistent efforts to seize the cyber initiative away from our adversaries. \1\ --------------------------------------------------------------------------- \1\ For more on persistence, see M. Fischerkeller and R. Harknett, ``Deterrence is Not a Credible Strategy for Cyberspace,'' Orbis 63 1 (Summer 2017): 381-393. --------------------------------------------------------------------------- In traditional great power politics, national sources of power were vulnerable only through direct violation of the territory upon which they centered. Thus, we came to equate strategic effects with war, and to narrow the central role of the state to promoting territoriality (its sovereign territorial integrity). The interconnected nature of cyberspace, however, means that now our national sources of power are vulnerable to manipulation without direct assault across territory. Strategic effects can occur without war through this new seam--and we should expect adversaries to explore it. We must contest this effort and seize back the initiative. In order for this to occur and positively affect the electoral cycle, we must position the Department to contribute to the defense of electoral integrity, protecting the vote and the voter. 
Electoral integrity cannot be protected by leaving civilians alone on the front lines.

Are the roles and expectations of the Department clearly defined with respect to protecting U.S. elections process from foreign influence in the cyber domain?

They currently are not sufficiently defined nor enabled. Most importantly, we must move away from 1) our ``doctrine of restraint'' \2\ that forces us to defend in our own space after the first breach is detected, and 2) away from the tendency to view every intrusion as a law enforcement problem first. Cyberspace is an interconnected domain of constant contact, which creates a structural imperative to persist. Persistence in resiliency, forward defense and countering is necessary because the analytical categories of offense and defense do not actually hold in this space--it is too fluid and dynamic. As former Deputy Director of the National Security Agency Chris Inglis put it: ``It's almost impossible to achieve a static advantage in cyberspace--whether that's a competitive [offensive] advantage or a security [defensive] advantage--when things change every minute of every hour of every day. And it's not just the technology that changes; it's the employment of that technology; the operations and practices.'' \3\
---------------------------------------------------------------------------
\2\ Department of Defense, DOD Cyber Strategy (2015).
\3\ Chris Inglis as quoted in Amber Corrin, ``Is Government on the wrong road with cybersecurity?,'' FCW: The Business of Federal Technology (May 21, 2013), https://fcw.com/articles/2013/05/21/csis-cybersecurity.aspx.
---------------------------------------------------------------------------
Our protection posture must be moved as close to the sources of adversarial action and capability as possible so that we can watch, react, disable, and disrupt at a speed of relevance (defined as one step ahead of the adversary).
We forward deploy in terrestrial space, where actual time and distance still matter for defense, so why do we hesitate to do so in the one domain where time and distance are crushed and cannot be leveraged for defense? Garrisoning our cyber forces has created a great disadvantage for us and invites opportunity for our adversaries. DOD is not on the front lines, which because of interconnectedness, are everywhere. We need to secure through a persistent pursuit of the initiative if we are to manage this new seam in international power competition. How can the Department use its national mission teams' offensive capabilities to improve deterrence? National Mission Teams (NMTs) can eventually produce a deterrence effect, but not by relying on deterrence strategy. Cyber strategic effects do not come from mere possession and the threat of employment, but from actual use. It is critical to differentiate between deterrence strategy and deterrence effects in answering this question because they get conflated too often. We can achieve a deterrent effect through other means than a deterrence strategy. Deterrence strategy rests on the prospective threat of punishment or denial to convince someone not to take an action. This dynamic cannot work in a strategic environment of constant action. Cyberspace is a strategic environment of initiative persistence (one can always find the willingness and capacity to get one step ahead). Our NMTs must be charged with eroding adversary confidence and deployed capability, not sit idle as prospective threats to impose costs in the face of cyber operations below the level of war. Cyberspace operations should be treated as a necessary national security activity and as a traditional military activity. Persistent erosion of confidence and capability will shape adversaries' behavior, over time, toward more stable norms. 
If we make the strategic effects sought by adversaries inconsequential, their penchant for attack may diminish--then we may get a deterrent effect (i.e., adversaries may determine it is not worth it to confront us). But we will not get there without allowing our NMTs to hunt, disrupt, disable cyber activities, and thereby seize the initiative back from our adversaries. We must understand this cyber persistent space not as an unstable escalatory environment, but rather as a fluid environment in which the initiative is always in play and we must seek initiative control. Is the Department's conception and implementation of deterrence sufficient? The Department's Cold War conception of deterrence does not map to the realities of this new strategic environment. Deterrence is an approach to security, not the approach. We cannot rely on a strategy in which the measure of effectiveness is the absence of action if we hope to manage an environment of constant action. The cost-benefit calculus an adversary may hold within cyberspace is never stable enough for us to be certain that our static deterrent threats are credibly influencing adversaries. There are always new and cost-effective opportunities for them to explore. They can constantly manipulate the data, networks, tools, and vulnerabilities that are coming on-line daily thanks to the efforts of malware developers and the innovations of the market. The cyber terrain to secure and the means to traverse that terrain are always changing. There is too much incentive and potential for adversaries to refrain from persisting in cyber activities below the level of war. In short, deterrence is a strategy reinforced by segmentation (borders/thresholds), sovereignty, relative certainty, and territoriality. Cyberspace by contrast is defined by none of those conditions; it is defined instead by its interconnectedness, constant contact, relative anonymity, and a lack of territoriality. 
Just as nuclear weapons precluded defense and necessitated deterrence, cyberspace below the threshold of war precludes deterrence and necessitates persistence. We must understand this space as a wrestling match in which we are in constant contact with the adversary and we are grappling to sustain the initiative through both our knowledge of what the adversary is likely to do and through our action anticipating what they wish to do. How should our posture be improved to combat the threat of future Russian interference? First, we need to build a posture focused not just on Russia, but on revisionist actors across the globe. We need to focus on the effects on our national sources of power we wish to prevent. To achieve this outcome, we need an alignment of forces, capabilities development, operational tempo, and, critically new authorities and decision-making processes that allow the Department to gain tactical, operational, and strategic initiative, continuously. We must operate in cyberspace globally and continuously, seamlessly shifting between defensive and offensive tactics to create an operational advantage--i.e., cyber initiative. By understanding our own vulnerability surface better than our enemies do, we can through resiliency and defending forward render much of their activity inconsequential. This can in turn help free our forces to focus on the truly consequential potential of strategic action below war, to disrupt and disable their cyber activities, creating enough tactical friction in our adversary's operations to shift their focus toward their own vulnerabilities and defending their own networks. This can produce a strategic effect for us. This will also require a new alignment with the private sector that makes a clear demarcation around protecting human speech. Bots cannot be afforded First Amendment rights. 
Trending on social media must reflect human majoritarian aggregation, and automated manipulation of that speech needs to be examined in our public policy. The Department should be enabled to disrupt foreign attempts at technical manipulation. 2016 was the Stone Age relative to the sophistication of cyber activities we are likely to see. Before the next presidential election, for instance, we will lose the capacity for audio-visual authentication due to Artificial Intelligence manipulation. We need policy changes to make the Department's capabilities more relevant to the private sector's defense. What can the Department do to close the gaps--across the Federal Government and between state and local governments--that inhibit the protection of election infrastructure? First, it is critical to recognize that there are gaps and that our adversaries are likely to engage in operations that exacerbate them. These gaps exist in the authorities, roles and responsibilities that we have put in place for protecting the voting infrastructure, and exist in the absence of a plan for protecting the information space so that the competition of election campaigns can be conducted fairly by Americans. Based on open source reporting, most State election boards have not prioritized security based on open source reporting and we have not aligned with the private sector social media platforms to produce a coherent plan of how Department resources could contribute to the nation's defense. Our current policy framework essentially rests on a reactive context. The Defense Support to Civil Authorities has not been construed in a proactive and on-going context of defense, which is what is needed to map to the realities of cyberspace. We cannot succeed with an emergency management/disaster relief/crisis framework that places us on the back foot and relegates action to `cleaning up on aisle nine.' 
We need to consider authorities that allow DOD, DHS, and our intelligence community to employ a coordinated strategy of cyber persistence as described above. If one considers the approaches emerging among all of our allies, particularly the British, Germans, Australians and Israelis, they are all moving toward increased policy and organizational coordination and synergy. They understand that the answer to the challenge of interconnectedness is not segmentation of roles, responsibilities, and authorities but synergies across pockets of expertise. The policy framing question you should ask yourselves in every discussion you have is whether the policy under question advances synergy or segmentation. If it is the latter it should be rejected; if it is the former it should be explored. Right now our approach to defending our electoral integrity rests on the principle of high segmentation. That will expose us to clever adversaries moving forward. Senator Rounds. Thank you, Dr. Harknett. Dr. Sulmeyer? STATEMENT OF DR. MICHAEL L. SULMEYER, DIRECTOR, CYBER SECURITY PROJECT, BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS, HARVARD UNIVERSITY Dr. Sulmeyer. Thank you, Chairman Rounds, Ranking Member Nelson, and distinguished members of the subcommittee. It is an honor to be with you today. Before I get to the military's role, however, I would like to note that I am part of a team at the Kennedy School's Belfer Center that released a report a couple hours ago. It is a playbook for State and local election administrators, and it has got steps they can take to improve the cybersecurity of systems that they administer. It is based on field research by a wonderful research team. Many, many students contributed. I am very lucky to have one of the wonderful students here with us today. Corina Faist has flown down to join us. So regardless of the role of the Department of Defense, these defensive improvements are essential. I want to make sure I hit that right up front. 
Those recommendations that we put out today complement our last playbook for political campaigns to also improve their cybersecurity. It is essential that we make our elections harder to hack and that we improve resiliency in case critical systems are compromised. But we should also consider how best to counter threats abroad before they hit us at home. So let me transition to how I see some potential roles for the military outside of the United States to protect our elections. There are two necessary conditions of posture that I see as critical: reconnaissance posture and force posture.

First, reconnaissance posture. Our cyber mission forces should constantly conduct reconnaissance missions abroad to discover election-related threats to the United States and provide indicators and warnings to our forces and decision-makers. There will never be sufficient resources to address all threats equally, so prioritizing threats to our democratic processes is critical. Otherwise, we cannot hope to disrupt these threats.

On force posture, our forces must be sufficiently ready to strike, strike against targets abroad that threaten our elections. Readiness is a critical issue for our armed forces today, and I would encourage Senators on this subcommittee to ensure they are asking tough questions about the readiness of our cyber forces just as they would about any other part of our military.

If the military's reconnaissance and forces are postured to focus on threats to our elections from abroad, there are four objectives that I think our forces should be prepared to pursue. It should go without saying that undertaking these actions should be consistent with international law and other relevant U.S. commitments. Those objectives are: first, preventing attacks from materializing; second, preempting imminent attacks; third, halting attacks in progress; and fourth, retaliating, if necessary, after an attack.
On the fourth, let me just note I would emphasize that this retaliation needs to be timely. It has got to be timely since the more time that elapses after an adversary's initial attack, the harder it will be to message and communicate that our action is a direct response. Across those objectives, proper training, thorough rehearsals, and coordination with other parts of our government are essential. Bringing military capabilities to bear inside or outside of cyberspace is always a serious matter, so it is critical to ensure that rules of engagement and questions about authorities are settled well in advance of any order to strike. Here, I would note that some of our closest allies like the United Kingdom and Israel have undertaken some national-level organizational reforms to streamline responsibilities for cyber issues. We may at some point want to consider something similar here. One of the best cyber-related investments the Nation has made is in the national mission force, an elite group of network operators at Cyber Command. They defend the nation from an attack of significant consequence in cyberspace. I think it is very much worth considering what role the NMF [National Mission Force] can play to accomplish the objectives I described just now. I might note for Senators that I have not discussed deterrence much so far. I very much support calls to deter our adversaries from meddling in elections. Do not get me wrong. However, I would not want to bet the cybersecurity of U.S. elections on a policy of deterrence if I did not have to. Sometimes, like the prospect of defending against thousands of nuclear-tipped missiles, deterrence is the least bad option. That is not the case in cybersecurity. We have other options, like the ones I described just now, and we should employ them alongside strong policies of deterrence. Finally, I would just note that information derived abroad from reconnaissance should be shared with relevant parties at the State and local level. 
I want to commend the Department of Homeland Security for working hard to promote information sharing over the last few years. I would also like to encourage more thinking, especially among my colleagues in academia, to help Congress protect itself since Congress is so critical as a part of our democratic process, not just work accounts but also campaign accounts, personal accounts. These cannot be left vulnerable. That concludes my prepared testimony. I look forward to taking your questions. [The prepared statement of Dr. Sulmeyer follows:] Prepared Statement by Michael Sulmeyer Chairman Rounds, Ranking Member Nelson, and distinguished members of the committee, it is an honor to be with you today. The need to protect the foundations of our democratic system is of vital importance, and there are several potential roles the military can play. I am proud to be part of a team at the Belfer Center that is releasing a new report in the coming days: a playbook for state and local election administrators with steps they can take to improve the cybersecurity of the systems they administer. Regardless of what roles the Department of Defense assumes, these defensive improvements we recommend are essential. These 10 recommendations reflect months of fieldwork by the research team, including several exceptionally talented students. They are: Create a proactive security culture, Treat elections as an interconnected system, Have a paper vote record, Use audits to show transparency and maintain trust in the elections process, Implement strong passwords and two-factor authentication, Control and actively manage access, Prioritize and isolate sensitive data and systems, Monitor, log, and backup data, Require vendors to make security a priority, and Build public trust and prepare for information operations. These recommendations complement our last playbook, which contained recommendations for political campaigns to improve their cybersecurity. 
Both reports can be downloaded from our website, belfercenter.org. It is essential that we make our elections harder to hack and to improve resiliency in case critical systems are compromised. Bolstering federal capacity to provide the kinds of support that state and local administrators request should be a priority. In addition to improving defenses and becoming more resilient, we should also consider how best to counter threats abroad before they hit us at home. To that end, let me transition to how I see some potential roles for the military in protecting our elections. I will focus my remarks on roles that the military could play outside of the United States. There are two necessary conditions of posture that I see as critical:

1. Reconnaissance Posture: Our cyber mission forces should be constantly conducting reconnaissance missions abroad to discover election-related threats to the United States and provide indicators and warnings to our forces and decision-makers. There will never be sufficient resources to prioritize all threats equally, so prioritizing threats to our elections and our democratic processes is crucial. If we do not prioritize collecting information abroad about election-related threats, then we cannot hope to disrupt them.

2. Force Posture: Our cyber mission forces must be sufficiently ready to strike against targets abroad identified by reconnaissance as threats to our election. Readiness is a critical issue for our armed forces today, and I would encourage the Senators on this committee to ensure they are asking tough questions about the readiness of our cyber mission forces just as they would about any other area of our military. Our forces must be ready to create different effects against a range of targets. Sometimes, they will not have much notice, so developing tactics that can be employed on the fly is important.
If the military's reconnaissance and forces are postured to focus on threats to our elections from abroad, there are four objectives that our forces should be prepared to pursue. It should go without saying that undertaking these actions would need to be consistent with international law and other relevant U.S. commitments.

1. Preventing Attacks from Materializing: Based on election-focused reconnaissance, U.S. cyber mission forces should develop options to disrupt the activities of those planning to meddle in our elections, and those who are in the early steps of doing so. Because these would be actions conducted by U.S. forces with a relatively long lead time, scenario-based plans should be developed and socialized with decision-makers so they are aware of the viability, risks, and benefits of different options.

2. Preempting Imminent Attacks: Reconnaissance abroad may provide indicators and warnings of an imminent cyber attack against election-related infrastructure, campaigns, and media and social media platforms. Our forces can prepare to neuter those attacks before they commence. Such actions would need to be undertaken rapidly as opportunities to strike may be fleeting, so developing options in advance to deliver effects promptly when so ordered is essential.

3. Halting Attacks in Progress: There may be situations when an adversary has already established access to a system, is in the process of denying access to data by legitimate users in the United States, or is already conducting operations to inject misinformation or steal information. In these cases, our cyber forces should provide options to decision-makers to disable these attacks by taking actions outside of the United States at the source of an attack.

4. Retaliating after Attacks: If the United States suffers an attack on its election infrastructure and democratic processes, policymakers may request options to respond in a timely manner.
I would place emphasis on timely retaliation, since the more time that elapses after the adversary's initial attack, the harder it will be to communicate that our action is a direct response to that attack. Across all of these objectives, proper training, thorough rehearsals, and coordination with other parts of our government are essential. Bringing military capabilities to bear, inside or outside of cyberspace, is always a serious matter, so making sure that rules of engagement and questions about authorities are settled in advance of any order to strike is critical. Here, I would note that some of our closest allies like the United Kingdom and Israel have undertaken some national-level organizational reforms to streamline responsibilities for cyber issues. We may at some point want to consider something similar. I always appreciated how the Armed Services Committee has been a champion of supporting the Department of Defense's cyber mission force. Through the last several National Defense Authorization Acts, this committee, and its counterpart in the House of Representatives, has empowered Cyber Command with unique authorities and has engaged in necessary civilian oversight. One of the best cyber-related investments the nation has made is in the National Mission Force, an elite group of network operators under the command of the Commander of U.S. Cyber Command. According to the 2015 DOD Cyber Strategy, their mission is to defend the nation from a cyber attack of significant consequence. I think it is very much worth considering what role the National Mission Force could play to accomplish the objectives I described. Senators might note that I have not discussed deterrence in this testimony. I very much support calls to deter adversaries from meddling in our elections. However, I would not want to bet the cybersecurity of U.S. elections on a policy of deterrence if I did not have to. 
Sometimes, like the prospect of defending against thousands of nuclear-tipped missiles, deterrence is the least bad option. That is not the case in cybersecurity. We have other options, like the ones I described previously, and we should employ them alongside deterrence.

Let me conclude with one final proposal for the military: when possible, relevant information derived from the reconnaissance it conducts should be shared with relevant parties at home. At times, some of this information may be useful to officials at the state and local level. I want to commend the Department of Homeland Security for working hard to promote information sharing over the last several years, and more recently to provide clearances to state officials so they have greater access to important information.

That concludes my prepared testimony. I look forward to taking your questions.

Senator Rounds. Thank you, Dr. Sulmeyer. First of all, let me thank all of you for some great insight, and I look forward to your thoughts in terms of the questions that we ask. What I would like to do is to do what we call 5-minute rounds here. We will alternate back and forth. Then after we have done that once through, if we have time, I would go back through and do a second round depending upon the amount of time that we have and whether or not other members come.

Let me begin with mine. I am going to start with Dr. Harknett. You have written that restraint and reactive postures are not sustainable, that the United States needs a strategy that capitalizes on the unique attributes of the cyber domain. You have called for a strategy of cyber persistence where we are constantly engaged with our adversaries seeking to frustrate, confuse, and challenge. How would your strategy calling for persistent engagement apply in the Russian meddling with our election as an example? Should this involve us contesting the malicious behavior at its source?
What do you believe are the consequences of our failure to respond in cyberspace to the Russian election interference? Because, number one, we have got to be able to provide attribution to where it is coming from, and hopefully we have got that completed. But give me your thoughts on it. What would you say would be an example of persistent engagement with regard to what they have done already and what we expect them to do?

Dr. Harknett. Thank you, Senator. So let us think about the Internet Research Agency. Right? I mean, we know about this center in St. Petersburg. We know that it controls a series of automated bots that are driving particularly well conceived information operations that are meant to be divisive. I do not know why we are according or why we should accord First Amendment rights to bots. It is not a free speech issue. If we have evidence of foreign manipulation, technical manipulation, of the social media space, that is not what the American people, from an educated standpoint, actually understand is coming at them. They think that this is a majoritarian aggregator trending. It is telling me, hey, this is where everybody is going. But if that trend is being driven by automated foreign intrusion, that is not an issue over free speech. That is an issue of direct foreign manipulation.

I agree with Dr. Sulmeyer. We need to have the reconnaissance, to your point about attribution. That is what persistence enables you to do, to start to get better at attribution. But we need to be able to move at the speed of relevance. So if in fact those bots are hitting us in a particular trend that is meant to be divisive, we should be able to have the capacity to at least disrupt if not disable that capacity. So we do know where some of these capacities lie. By being persistent in our reconnaissance, we will get a better understanding of what our vulnerability surface is. We have to think about it that way. We tend to think about an attack surface.
That is from their perspective. We have to get a better handle on what our vulnerability surface is. By being able to understand where our vulnerabilities are and anticipate where their capabilities map to that, again, a product of being persistent in this space, we can start to take those capabilities away.

Senator Rounds. Dr. Sulmeyer, do you agree with that?

Dr. Sulmeyer. I do. I agree with the vast majority of what my colleague, Dr. Harknett, just said. For me, even just to get a little more specific, the kinds of options that I would want to be seeing presented need to allow decision-makers some flexibility from lower-level actions like denying troll farm access to compromised infrastructure, to deleting some accounts, to erasing some systems if it comes to it. It is too important to take options off the table ahead of time. So as long as the option space is kept open, we can do it persistently or less persistently, but a wide range of options.

Senator Rounds. Mr. Butler, your thoughts?

Mr. Butler. I agree with both Michael and Richard on this. I would say that we need to be asymmetrical in our response. So I am a big believer in botnet disruptions and taking down bot infrastructure, as we just saw with Levashov, but we need to do that in a continuous way and that is a symmetrical response. I think if you look at the Internet Research Agency in St. Petersburg, they are coupled to the Kremlin. You need to have an information operations counter-influence campaign where you begin to cut the funding and cut the support enablers behind that infrastructure. So we need to think about things differently. It should not be cyber on cyber, social media on social media. It has got to be a broader campaign.

Senator Rounds. Ms. Conley?

Ms. Conley. Yes. I will agree with absolutely the asymmetrical response. While trying to bring down the infrastructure of those bots, what they are doing, though, Russia exploits the weaknesses that it finds.
So it is amplifying the weaknesses and divisions that are already appearing on social media. So how do we try to reduce the weaknesses? This, again, gets back to the critical importance of exactly what this committee represents, the bipartisanship, fact-based, and getting to communities through a variety of methods to help inform the American people so when they see a trending site, let us look at that. What is underneath that? The only way we can really stop this from changing hearts and minds among the American people is helping them discern what is coming. We can do everything we can technologically to eliminate it. But the other part is just missing. We are not educating.

On the asymmetrical sanctions, my frustration--and I am sure many on this committee as well----

Senator Rounds. I am going to ask you to shorten it up because my time has expired.

Ms. Conley. Absolutely, sorry about that.

Is to think about ways that we can focus on the Kremlin, on financial sanctions, on sanctioning the inner circle as ones attributable back to that, so not just in the cyber domain, focusing on financial sanctions and individual sanctions. That could be very powerful as well.

Senator Rounds. Thank you.

Senator Nelson?

Senator Nelson. So all of you sound like that you just do not think enough has been done and that we are not ready.

Dr. Harknett, you have said that 2016 was the Stone Age compared to what is going to happen. So do you want to trace what you think will happen?

Dr. Harknett. Well, one of the things, back to the chairman's question about whether the lingering effects, is again we have got adversaries who are confident. There are other actors aside from Russia out there as well that are going to look at this space and say, hey, this is a space that I can play in and I can work in. Until we start to reverse that confidence, we are going to see greater experimentation.

Technologically, I will give you one example, Senator.
My concern with regard to leveraging artificial intelligence and machine learning. I mean, this will be a step function, thus my Stone Age allusion, from where we are. We are going to--within the next 16 months, I am going to be able to take you and put you in a video in which you are saying something that you never said in a place that you have never been, and you are not going to be able to authenticate that you were not doing--that you had not done that and not been there. Just think about that as a tool for an adversary who wants to engage in disruptive social cohesion types of information campaigns. Senator Nelson. Right. Dr. Harknett. That is around the corner. Senator Nelson. So, Ms. Conley, given that, you have already said that you do not think we have taken any positive proactive steps. Why do you think that is the case? Ms. Conley. I think the executive branch refuses to recognize the threat. It refuses to put forward a national whole-of-government, whole-of-society strategy and bring all the agencies and tools of influence to bear on this. We have to think of this as a direct threat to the national security of this country. It has to receive the priority. Also, to focus on what Dr. Harknett said, this is adaptation. If we are preparing for what Russia did in 2016, it will be very different in November. It will be very different in 2020. It will look more American. It will look less Russian. This is adaptation. We are already fighting the last war. We are not ahead of the new one, which is why I think education is so critical, that absent a U.S. Government approach, we are all going to have to do our part in our communities to inform the American people about the threat. It is unfortunate we cannot pull together and do this in a unified way. Senator Nelson. So if we cannot get the Government to move, are there any private initiatives that would help? Ms. Conley. What I am seeing is some very effective news literacy campaigns. 
I think, again, news sources, social media are doing fact checking. The pressure that Congress has brought to bear on the social media companies is changing their perspective. But, again, we are so late to need. This has been ongoing. This campaign is only intensifying, and we are just getting our arms wrapped around this. So this is where every Member of Congress has to return to their home district and talk about this in very clear ways. Senator Nelson. Amen to that. Dr. Harknett, on the example that you gave of the next level of technology, of which something can be created that looks real, acts real, feels real, et cetera, if Cyber Command were to adopt your thinking, knowing what the threat is even greater in the future, what would you suggest that they change the way that they are doing their operations? Dr. Harknett. I think it is very important to expand this notion of defending forward, this notion that we need to be as close to the source of adversarial capability and decision-making as possible. This is not a space in which time and geography is leveragable for defense. So when we think about the notion of front lines, the front lines are everywhere. Right now, our general approach has been to defend at our borders, at our network, which actually means that we start defending after the first breach, and we are already playing catch-up. So I concur with the notion of adaptability here. It is all about anticipation. So when Bob Butler talks about asymmetric, that is what I would talk about in terms of being able to be one step ahead. We have to be able to anticipate the exploitation of our vulnerabilities. You need to be able to be defending as far forward as possible. In terrestrial space, we defend forward. We are not defending forward in cyberspace right now. Senator Nelson. Thank you. Senator Rounds. Senator Gillibrand? Senator Gillibrand. Thank you, Mr. Chairman and Mr. Ranking Member, for having this hearing. Thanks to all of you for your testimony. 
I agreed with a lot of it. So to Professor Harknett, I appreciate your effort to redefine cyberspace and the challenges we face in operating within it. Were Russia to have bombed one of our States rather than attacked our election infrastructure, we would treat it just like an attack, as you said. But because of the way in which we set up our cyber capabilities, which we have done for good reasons, including privacy and States rights, it seems to me that the DOD is hamstrung in trying to properly respond to an attack on our democracy. I have asked this in many settings, and every single time they said it is not our job. So you argue that we need to consider authorities that allow DOD, DHS, and our intelligence community to employ a coordinated strategy of cyber persistence and recommend looking at approaches emerging among all of our allies. Can you expand on what kind of authorities we should be considering and what we might learn from our allies? I ask this because I have put this question to the Department of Defense in every setting we have had, any conversation about cyber, and every response is we do not have the authorities and the States rights issue. It is not our job. I cannot, for the life of me, understand why they do not see it as their job because if another country bombed any one of our States, then that is a declaration of war and we would have responded from the military. We are not doing that in this regard, and it seems really off-putting to me. Their response is often, that is Homeland Security's job. They can call us if they need us, but they have not. I understand why that is probably not the case because a lot of secretaries of state in a lot of States think it is their job, not anyone else's job, and they do not want to relinquish that control. 
So I would like your suggestions on how to write the authorities that you think are necessary, but also I have really tried to push National Guard as a possible place where this can be done because the National Guard already serves the States. They are already under control of the governors. So why not amplify what we are already doing with our National Guard and Reserve to give them the expertise in cyber but actually delegate this mission specifically to them in conjunction with all the other assets in the military? So to all of you, you can answer this question. You start, Dr. Harknett, since you addressed it a little bit in your opening remarks about what authorities can we give. How can the National Guard be useful, and how do we get this done? Because it is frustrating to me that we are not doing it. Then just a third thing to add to your answer. I do have a bill with Lindsey Graham to do a 9/11 deep dive style analysis of the cyber threat to our electoral infrastructure. It is a bipartisan bill. You know, whether we ever get a vote on it, I will never know, but that would be a great first step in my mind to at least just get a report and say these are the 10 things you need to do to harden our infrastructure. So maybe comment on those three ideas. Dr. Harknett. Thank you, Senator. You mentioned our allies, and I think Michael had some work that he has been doing as well analyzing them. I think if you look at the UK [United Kingdom], for example, you look at the Israelis, you look at the Australians, their first default in cyberspace is to ask how do we find synergy, not segmentation. Our entire approach to this space has been starting with who has divided roles and responsibilities. So I think we can learn something from our allies right now in terms of their orientation to trying to find synergy rather than segmentation. That should be our first policy framework question. 
But in terms of authorities, I think there is a false debate, say, for example, between 10 and 50. So when I argue for a seamless notion, I am suggesting that we understand title 10 and title 50 as actually mutually reinforcing, not defined as, again, segmentating. They segment in Congress in terms of oversight, and I get that, but they do not segment in operational space. We should actually understand and reinterpret, I would argue, those authorities to emphasize where a synergy and where there is seamless reinforcement rather than looking at those authorities as something that divides and puts us into different lanes. In terms of the National Guard, I think the cyber protection teams and force type of an approach would be appropriate. We need to get at this, Senator. So if that is the best mechanism, there is expertise at that level. Mr. Butler has talked about leveraging our private sector. Through National Guard, as well as Reserve, we have a capacity. If you look at the Brits, they are looking at cyber civilian reserve force. I think that is another interesting way of thinking about this. So ultimately if we need to do a deep dive, I think we do. Right? I think we have authorities that are structured for a terrestrial space that do not map to the realities of this human-made interconnected space. Authorities are what we should do last. We should figure out what our mission is. We should develop the organizations to pursue those missions, and then we should authorize them to do it. I would submit to you that one of the major problems that we have faced is we have been continually trying to shoehorn our cyber forces into existing authorities and working backwards from the way we should be working. Senator Gillibrand. Ms. Conley? Ms. Conley. 
Senator, I think the National Guard is an area that we absolutely should explore, and I mentioned it in my written as well as far as education, bringing together DHS, DOD, working with community leaders at the State and local level. On the 9/11 Commission style, cyber is critical pillar of this, but it transcends it as well. We need to look at Russian economic influence. We have to look at a whole range not just of Russia as the adversary but other adversaries that will use cyber disinformation and economic. So please broaden that out. They will find any seam, State, federal, First Amendment, privacy. That is where they will be, and that is why we cannot get locked into those seams. Mr. Butler. Senator, I take it from two different angles. One is clean-sheet everything. What do you want to do? Let us refocus the authorities. Catherine Lotrionte's work here in looking at countermeasures is a great example of that. Her legal interpretation of the Tallinn Manual is very different than what most people are saying these days. The other thing is I am involved in exercises where I am blending physical and cyber together and looking at what we can do with physical authorities in cyberspace. So I am working with the Army Cyber Institute on an activity where we have a natural hazard and a nation state actor is manipulating inside of it. How do you get a rolling start? You can use our authorities. The military has the ability to use an immediate response authority to create a rolling start. We need to leverage. We need to reinterpret and leverage these kinds of things as we go forward. A part of that is the National Guard Bureau. We have unevenness within the stand-up of our National Guard activities both in the air and now with the Army. We have both cyber and information operations. I think we could create pockets of talent. I mean, Washington State has a phenomenal industrial control system security unit. 
Maryland has a fantastic unit where they leverage a lot of NSA [National Security Administration] expertise. We have got units spread around the country. We need to create a construct of cyber mutual assistance across boundaries, across State borders. Again, I think we can do that. We have just got to sit down and plan together a campaign in that regard. Senator Rounds. While the Senator's time has expired, if you could expedite your answer, we will let you finish up as well, sir. Dr. Sulmeyer. I will go real quick. I support all the goodness just said. Abroad, I do not believe the kinds of activities I described earlier need new authorities. On the deep dive, I would say great. The Belfer Center's work over the last year has tried to get a start on that. So we hope we can be of support. On coms and education, there is a part of me that wonders if that by saying ``cyber,'' the response is help desk. By not describing it in a way about warfare and propaganda and foreign influence, we do a disservice to the real problem. Thank you. Senator Rounds. Senator Blumenthal? Senator Blumenthal. Thank you, Mr. Chairman. I want to thank all of you for being here. I am very familiar with the work done by the Belfer Center in particular, and thank you all for the work that is done by each of your organizations. I want to first tell you--you probably already know--that the immediacy and urgency of this task was reinforced this morning before the Senate Intelligence Committee where Dan Coats, the Director of National Intelligence, said, ``There should be no doubt that Russia perceives its past efforts as successful and views the 2018 midterm elections as a potential target for Russian influence operations.'' That statement would be beyond conventional wisdom. It would be unnecessary to state because it is the consensus of our intelligence community. It has been broadly accepted by everyone except the President of the United States. 
In my view that is the elephant in this room, that the President refuses to acknowledge this threat to our national security. So I put that on the record simply because we can propose all the great ideas in the world. Some very good ideas, as a matter of fact, came from a report done by the Senate Foreign Relations Committee. It is a minority report by my colleague, then-Ranking Member Senator Cardin, called, ``Putin's Asymmetric Assault on Democracy and Russia and Europe Implications for United States National Security.'' It makes some very good proposals. I would be interested to see the Belfer Center's release today, and in fact, without even having seen it, Mr. Chairman, I ask that it be made part of our record. Senator Rounds. Without objection. [The information referred to in Appendix A.] Senator Blumenthal. But I think we need to make progress on gaining acceptance at the highest levels of the United States Government--let me put it as diplomatically as possible--for the proposition that Russia attacked our democracy. In my view it committed an act of war. They are going to do it again unless they are made to pay a price for it, and that includes enforcing sanctions passed overwhelmingly by this body 98 to 2, still unenforced. So the talk about retaliatory measures in real time, Dr. Sulmeyer, I think is very well taken. But why should the Russians take us seriously when the President denies the plain reality of their attacking our country and the sanctions that would make them pay a price are still unenforced? All of that said, I want to raise another topic, which I think so far has been untouched, the social media sites, Facebook, Google. Let me ask each of you if you could comment on what their responsibilities are and how they are meeting them in this disinformation, propaganda campaign using bots and fake accounts which have been appearing on those sites. Mr. Butler? Mr. Butler. 
I think, Senator, the response--and I have talked with a couple of the web-scale companies about this--is aligning with what we have already seen in the counterterrorism fight. In that space what you see is them actively, proactively looking for disinformation, in the case of terrorism, of course, looking for recruitment. I think the challenge is guidance with regard to counter-narratives or alternative narratives in that space. That needs to be done with others. But I think that is where we need to head. They have the ability based on their reach and their fusion engines to really help us move much more quickly into active defense in this space and not just to do it from a cyber perspective but from a counter-influence perspective which I think is so critical. Senator Blumenthal. Thank you. Ms. Conley? Ms. Conley. Thank you, Senator. I would just note that building the awareness of what Congress has already done to force the social media companies to really take a very deep look at this has been very helpful. I would suggest to you that I think Russia will adapt their tools, that this will look more and more American, which will get more and more into First Amendment issues because that is a weakness to exploit here. So what I would commend, in the interest of being ahead of the curve and not behind it, is we start looking at how social media engines can start detecting what looks like it is American origin but it in fact is not. So that would be the next step I would recommend. Senator Blumenthal. Thank you. Dr. Harknett. I think we have to move away from a partnership model, to be perfectly honest with you. We have been talking about a public-private partnership for 25 years. I published about this 25 years ago. The problem is that partnerships require shared interest in the beginning of the morning. The private sector has a very specific interest: profit making. The state has a very specific interest: security providing. 
We should recognize and grant that they have a different interest. We need to move us to an alignment model. How do we structure incentives within the marketplace for them to achieve their primary objective, which is profit making, while producing an effect that the state requires, which is enhanced security? Until we actually start to think about how can we shape and incentivize that behavior and recognize that we actually have very different interests in this space--I mean, that is Strava fitness band company a few weeks ago produced a heat map that exposes all of our forward-deployed troops. I would submit to you that nobody at their board meeting, when they came up with this really great idea of releasing that heat map--and they said, look, our stuff is in the real dark places, and they thought that was really cool. Ten years ago, the intelligence capacity that a state would have had to have found all of our forward-deployed troops--think about that. This was produced by a fitness company. There are non-security seeking, security relevant actors in this space. That is the way we have got to think about them. Let us meet them on their grounds and start to get them to align towards the security needs that we have. Senator Blumenthal. Thank you. Dr. Sulmeyer. Briefly I would just note the interests are not aligned, and that is really the most essential part and to not treat them all the same. Not all the companies have gone through the same amount of self-reflection. Some have not; some have. We should be honest about that. Finally I do not think we should limit this to social media companies. There is a lot of companies up and down the stack, a lot of different types of people on the Internet who have an interest in this type of work. Senator Blumenthal. Thank you all. I apologize, Mr. Chairman. I have gone over my time. Senator Rounds. What I would like to do is another round. Okay? Let us do it this way. 
Let us do one more round so that everyone has an opportunity. We will make it 5 minutes. I would simply say that for those of us up on this end--and I went over as well--let us phrase it so that when we hit the 5 minutes, whoever is final speaking on it will have their--that will be the last one and we will move from there. So with that, let me just begin with this very quickly. Right now, we are looking at changing our hats, our dual hats. Right now, within the cyber community, we have a dual-hatted individual for both title 10 and title 50 operations and so forth. We are looking at separating those into separate items: title 10 one side, title 50 on the other. The cybersecurity side would be separated out from the NSA side and so forth. We had a lot of discussions over it. We were concerned at first that they were going to go very, very rapidly. Now there is the discussion about whether or not moving in this particular way is quick enough. I just want to know your thoughts about whether or not we are actually approaching the challenges that are facing us in the right way with regard to the organization of government as a whole. Can I just very quickly go across and just ask each of your thoughts about whether or not we are moving in the right direction as to how we are arranging so that we can respond to these types of threats? I will begin with Mr. Butler. Mr. Butler. Thank you, Senator. Let me start with the CYBERCOM/NSA issue. My sense is we are at a point where we have got enough of the infrastructure developed to really work within Cyber Command, that we are not as dependent as we once were on the National Security Agency. I think the other part of this is as we move forward with the kinds of influence strategies that we are talking about, we need to have a way of checking and understanding whether it is working. We need an activity that understands this space that can help Cyber Command make adjustments along the way. 
So I support the split and support where we are trying to go as we move forward. As we take a look at those two elements and we put it into a larger DOD IC [Intelligence Community] and whole-of-government, whole-of-America construct, I go back to what I put in my written statement. I think from my perspective, having been through this both in uniform and doing information operations campaign planning and where we are today, we need to get the best of America into this space. There is a role for DHS. The FBI is very engaged. There is a role for the Department of Defense that goes beyond the National Guard Bureau that ties in with the intelligence community. There is a role for trusted private sector partners in this space. As a matter of fact, you cannot scale without it. So I think we have to align. Senator Rounds. Thank you. Ms. Conley? Ms. Conley. The organizational structure gets to the reason why we needed a comprehensive 9/11-type commission because we are horribly structured for this particular challenge. It falls within the streams of law enforcement, intelligence, defense, education, awareness, and that is why we need a deeper dive to get to a reconfiguration. Just as we did after 9/11 with the DNI and DHS, we restructured ourselves. We need to do that again. Senator Rounds. Thank you. Dr. Harknett? Dr. Harknett. I fully concur that we should do that deep dive, and I would urge us to reconsider the split of the dual hat. I know that that is not the current view. This notion of my litmus test. Are you producing more synergy or are you producing more segmentation? There is not one of our allies that is moving in that direction. Senator Rounds. Let me just ask one question on that very quickly because one of the items was is that we know that on the title 50 side, on the NSA side, they love to be deeply embedded and they do not want to be seen. 
There is a real concern out there that if they actually actively and more persistent that they are constantly being seen, that that interrupts their capabilities to be the intelligence gatherers that they are. How do we then allow for that constant and persistent activity if they have the same concern about they would really rather not been seen? They just simply want to be the deep ears for us. Dr. Harknett. So I think having the dual hat enables that kind of determination to be made. The sensitivity of both when and where we are going to make certain tradeoffs and where that seamless between intelligence and---- Senator Rounds. But it is not working today. Is it? Dr. Harknett. No. I think it can. I think it can, sir. Senator Rounds. But we do not have evidence. Dr. Harknett. But if you look at our adversaries, why are they not worried about burning capabilities? Why are they not worried about--we have had a high-end right kind of focus to all of this both in the recon phase and in the force phase that I think has actually been distorting of this space. Senator Rounds. I am going to move over very quickly because Dr. Sulmeyer has been shorted each time around here. Dr. Sulmeyer. You always pick on the Harvard guy. [Laughter.] Dr. Sulmeyer. I think we are back to different interests. The two different institutions have matured and now they have different missions, different jobs to do. The current structure, what you can say for it, is very efficient decision-making because it is one person who makes the decision. I think it is time, though, for two different and for an adjudication to be made for which priorities are going to take precedence each time. Senator Rounds. Thank you. Senator Nelson? Senator Nelson. But until we evolve into that new structure, we are stuck with what we have. We set up these Cyber Command national mission teams to disrupt the Russian troll farms, the botnets, the hackers, all engaged in attacks on our democracy, re the elections. 
We can identify them, the infrastructure they use. We can identify their plans, their operations. We can do everything that we can to stop these activities, but if you do not do anything, it is not going to happen. Until the existing structure that we have--the Secretary of Defense walks into the room and says, boss, and his boss is the commander-in-chief--until he says, boss, we have got to act, nothing is going to get done. So are we describing a situation that we are defenseless in this 2018 election? Mr. Butler. My sense, sir, is no. My recommendation is, in the homeland defense mission of the Department of Defense, we should stand up a JIATF [Joint Interagency Task Force] and move forward as we begin to move to another level, which would be a national security task force. But in the interim, this committee has jurisdiction. The Secretary has prerogatives to set up a JIATF in support of homeland defense. This is a homeland defense issue. Dr. Harknett. I would just add one. I think it is a defend the nation issue. Senator Nelson. I think you are right. I think this is as clear an attack on the country as if you lobbed a missile or if you lobbed an artillery shell. Senator Blumenthal wanted to ask the question. One of you had stated that it is going to morph into where the attacks are going to look more American. Would you expand on that, please? Ms. Conley. Senator, that was me. It is in part from some of the lessons we learned from the French presidential election. The last cyber attack, which happened within the last 24 hours of the campaign--it was a combination of both hacked emails from Macron's campaign, as well as made-up messages, and it was all mixed in between. What we understand--and I do not have access to classified briefings from our French colleagues--where the source came from looked like it was coming from the United States, from United States organizations. 
Some of this is tied into adaptation where they do not want it to look like a Russian bot. They do not want it to look Russian. They wanted to originate from other sources to confuse and make attribution questionable in those last few moments. So my intuition tells me that more and more of these attacks will look like they are coming from America. It will obscure attribution, and then people will say this is their First Amendment right to say these things and put forward these--that is the problem. Senator Nelson. How did the French counter that? Ms. Conley. Well, very gratefully, the French have a very unique--they have a blackout period 24 hours before an election. It is a reflection period. Because the French Government and intelligence agencies had made very clear repeatedly and publicly that this was likely to happen, French media were very responsible. They could not fact check the material in time. The reflection period would not move forward. In fact, that last major attack was really thwarted because both of a law but also a lot of French proactive steps to inform their public that this could happen. Senator Nelson. That was in the last 24 hours before the French election. Ms. Conley. So what had happened, it was the presidential election debate between Marine Le Pen and Emmanuel Macron. It was the Wednesday before the election on Sunday. In that debate, she began to hint that there may be some information about potentially Mr. Macron's overseas bank accounts and sort of hinted at this. Then about 24 hours later, the document release happened. So one could speculate that there was some coordination. But because it hit so late, it really did not have the impact. But, again, responsible media, Government warnings, and the reflection period all prevented something that, if it would have happened 72 hours before, may have had a different impact on that election. Senator Rounds. Senator Gillibrand? Senator Gillibrand. Thank you. 
Just following up on a couple things. You said the Belfer Center already has done a deep dive on how we were hacked and ways to prevent it. Is that true? Dr. Sulmeyer. Senator, the two reports are about the practices that campaigns and State and local officials can take based on field research about what they found as vulnerable and techniques that were effective in the past, so ways to shore up those defenses. It is not going to be that kind of a deep dive like you are---- Senator Gillibrand. Have you distributed that to the 50 States? Dr. Sulmeyer. I believe so, yes. Senator Gillibrand. Have you gotten comments or any response back? Dr. Sulmeyer. It went live today. Senator Gillibrand. So I would like to request that you brief this committee on what the responses are to each of those efforts to outreach the different States and a copy of the report for all committee members so that we have our own first draft of what our 9/11 deep dive might ultimately look like because this has to be done. It is striking to me that there is no sense of urgency by this administration. It is absolutely crazy as far as I am concerned. I want to work towards elevating this issue, and your work will help us do that. Dr. Harknett, you mentioned in your comments that bots do not have free speech rights. I could not agree with you more. So what kind of legislation do you think we could write or could be written to say we expect these platforms, whether it is Facebook or Twitter or Instagram or any other online community, to not sell its technology to fake entities who are posing as real people? The reason I say that is it is simple fraud, as far as I am concerned, because you are doing it for the purpose of changing someone's mind, distracting them, giving them false information. I believe it should be illegal under the same analysis that we have for fraud statutes. How would you go about trying to take away those free speech rights that are given to non-entities today? Dr. Harknett. 
Thank you, Senator. So I am not a lawyer, but I would build on what you just said. I think the notion of our default to fraud--so if in fact what you are trying to sell is trend, if that is the actual operative thing that you are trying to--then that actually should be capturing human behavior. We really have to think through--I mean, this is very tricky. But legislatively we have to separate out human behavior from automated behavior, and automated behavior can be classified as falsification of trending, if you wanted to capsulize it in that fashion. So I think the notion of understanding technical manipulation of the space is not smart marketing. It is manipulation and therefore should be out of bounds. Can I make one quick comment on your deep dive? Senator Gillibrand. Yes. Dr. Harknett. I would look as another example, Eisenhower's Solarium exercises back in the 1950s. President Eisenhower said, okay, what is going to be our macro level grand strategy? Set up three competing teams to come up with what those strategies should look like, and that is where containment and deterrence came from. It is an interesting alternative approach, but we get at the same sort of things that you are looking at. Senator Gillibrand. Like a national competition? Dr. Harknett. Well, he brought together three very specific groups of experts. They were given access to classified information, but they worked as independent teams. Then they were brought together to knock heads over what the best route to a grand strategy looks like. We do not have a cyber grand strategy, and we do not have a grand strategy for cyberspace. I can tell you the Chinese do. They have announced it. They are going to be the number one AI [Artificial Intelligence] country by 2030. We need to start to think in those kinds of grand strategic terms. Senator Gillibrand. Other thoughts? Mr. Butler. Yes. Senator, I would build on the Honest Ads Act. 
You have got elements in this particular legislation which gets to what we want online platforms to do. They can identify botnet infrastructure and are beginning to identify infrastructure that has origin in elements that are nefarious. I think I would add to that as one way of kind of tackling this issue.

The second point. I do not want to disagree too strongly with my colleagues here, but I have worked in the private sector and I have worked on the public sector side. I know that there are models that can work to align incentives. The enduring security framework is a good example of that. We have had it work before. When you show private sector and national security government elements working together a threat of this magnitude and you provide some type of limited liability protection, you can get there. It took us a long time with Facebook, Twitter, and Microsoft to get to pulling terrorists' data offline, but they are doing it now. My sense is the sooner we get into this process with creating an alignment of not only incentives but understanding of the problem--and again, it is not with everyone. It is with folks who can do things on scale and really help us as a nation.

Senator Gillibrand. Thank you. Thank you, Mr. Chairman.

Senator Rounds. Thank you, Senator Gillibrand.

First of all, let me just take this time to say thank you very much to all of our witnesses for your time. You spent an hour and a half with us today. It has been greatly appreciated. I would suspect that we will be speaking again in the future as we continue to learn more about the challenges and the threats that face our country. It is not going to get better. It is going to get worse. We all recognize that. Our challenge is to make sure that we have the right long-term strategies and that they are being properly implemented. As such, I think we have got a lot of work to do.

With that, once again, thank you. Thank you for the participation of our members here today.
At this time, this Subcommittee meeting is adjourned.

[Whereupon, at 3:53 p.m., the Subcommittee adjourned.]

APPENDIX A

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]